Let me be clear first and foremost: I do not think installing a backdoor in security algorithms is a good idea. Backdoors undermine the trust in the software and in the company that provides the service. That being said, I do agree that encryption provides a certain measure of protection for criminals and malicious actors against legitimate inquiries by authorities, which in turn can lead to dangerous situations.

I am also aware that cryptography is an INCREDIBLY complex subject matter, which should be left to the professionals with many years of experience. That said, in the below question, I will attempt to leave the creation of the cryptographic algorithm to the pros.

Now, the main question: Imagine a scheme like this:

A new algorithm is developed with equal security as the current standards. In effect, the algorithm that replaces AES would be just as hard to crack as AES if you do not know the key.

This algorithm generates one extra unique decryption key when used. This key is then sent via a secure channel (i.e. HTTPS or equivalent) to an NGO with the sole duty of guarding these keys. As soon as the tool gets confirmation that it is delivered, the tool securely deletes this key. The key is always different and strong enough that brute-forcing is not feasible. In addition, the encryption software will require a usable connection to the NGO via the internet when the encryption is started to ensure that the key can be sent.

Once the key arrives, it is stored in an offline, airgapped database that can only be accessed in a single room with rigorous safety. In addition, the database and the machine it is located on have tamper protection, similar to tamper protection on bank transports: any access that's out of the ordinary, like too many requests within a certain period or too many faulty requests, and the machine gets wiped.

When a legitimate law enforcement organization has need of a key to decrypt, it sends a formal request to the NGO. The NGO first analyzes the request based on the importance of the request. The NGO allows decryption when the suspect is strongly incriminated by other evidence, and only in the case of terrorism, murder or abuse of a minor (which are probably the only widely accepted reasons for public opinion).

If the NGO allows decryption, a trusted employee of the NGO goes to the room the database is accessible from and downloads the key on a read-only medium with similar tamper protection as the database. This medium is then handed over to the law enforcement organization that originally requested it. At this point, normal law enforcement will take over.

Assuming all of the above is feasible, what problems can arise from this system?

10 Answers

In addition to the points mentioned by Lucas Kauffman, I would elaborate on point two:

2. This algorithm generates one extra unique decryption key when used. This key is then sent via a secure channel (i.e. HTTPS or equivalent) to an NGO with the sole duty of guarding these keys. As soon as the tool gets confirmation that it is delivered, the tool securely deletes this key.

What would stop someone from implementing the algorithm but omitting the part where the second key gets sent to the NGO? Such an implementation would still output the normal key, making it completely compatible with other users of the cryptosystem.

The only way to do this would be to make the algorithm closed source and safeguard its implementation from reverse engineering through intense obfuscation. But nobody in the security community who isn't completely out of their mind would ever trust an algorithm which isn't open to public peer review.

Also keep in mind that the people law enforcement wants to find are those who are already breaking the law. Criminals would have no qualms about encrypting their information with any of the other cryptosystems which are currently available, even when doing so is declared illegal. Unless, of course, the punishment for using non-government-approved encryption software is just as harsh as the punishment for terrorism, murder or abuse of a minor, but that would be hard to justify IMO.

That means you would create an expensive key escrow infrastructure and put a legal shackle on millions of citizens and companies regarding the software they are allowed to use without affecting any of the people you actually want to affect.

"anyone who wants to hide something from law enforcement is likely someone who is already willing to break the law" -- that's what the cops/prosecution will say when it doesn't get a search warrant, anyway. "Are you going to co-operate, sir, or are you hiding evidence of a crime?"
– Steve Jessop, May 23 '16 at 14:20

Note also that due to this problem you raise, you don't actually need any novel crypto. Just ensure that whenever you encrypt a message, you encrypt it to both the recipient and also to their escrowed key. With PGP for example, there's very little overhead in encrypting a message to multiple recipients because the public key is only used to encrypt a session key, not the whole message. So send it to both Steve and Steve's-escrowed-key. Either way the problem is the same, the system requires the co-operation of those under surveillance.
– Steve Jessop, May 23 '16 at 14:33

Sure, and that's why I'm wary of statements like "anyone who wants to hide something from law enforcement is likely someone who is already willing to break the law", since that belief gives law-enforcers and politicians a means to stigmatise and even prosecute anyone who chooses to exercise what rights they have. My point isn't a major one in the context of the question, except that the question pre-supposes that everyone using the system waives that right (or more likely that it's removed from them).
– Steve Jessop, May 23 '16 at 15:01

Good answer. An additional point, which I feel is often overlooked in this sort of discussion, is that breaking crypto is the vast majority of the time no help whatsoever in detecting, preventing or prosecuting a major crime. The Boston Marathon bombers used no crypto. The 1993 World Trade Center bombers used no crypto. The list of major crimes where the perpetrators used no crypto is very long.
– Eric Lippert, May 23 '16 at 18:25

@Dave Instead of looking for uncrackable safes, try looking for safes which would destroy their contents when cracked. There's just about nothing that can stand against properly applied explosives, but it's far easier to make something that will burn any papers inside when exploded open.
– Patrick M, May 24 '16 at 7:02

On a national level, this is controversial in many countries due to technical mistrust of the security of the escrow arrangement (due to a long history of less than adequate protection of others' information by assorted organizations, public and private, even when the information is held only under an affirmative legal obligation to protect it from unauthorized access), and to a mistrust of the entire system even if it functions as designed. Thus far, no key escrow system has been designed which meets both objections and nearly all have failed to meet even one.

As per your statement:

A new algorithm is developed with equal security as the current standards. In effect, the algorithm that replaces AES would be just as hard to crack as AES if you do not know the key.

Unless the algorithm has been under extensive scrutiny from the cryptographic community or several independent knowledgeable parties (read: proper academic cryptographers with extensive experience in creating and validating cryptography), this is a very bold statement.

This algorithm generates one extra unique decryption key when used. This key is then sent via a secure channel (i.e. HTTPS or equivalent) to an NGO with the sole duty of guarding these keys. As soon as the tool gets confirmation that it is delivered, the tool securely deletes this key. The key is always different and strong enough that brute-forcing is not feasible. In addition, the encryption software will require a usable connection to the NGO via internet when the encryption is started to ensure that the key can be sent.

Why would you use HTTPS to send the key, rather than encrypting the key with the NGO's public key? I would use an additional step where the key is encrypted prior to transmitting it over HTTPS.

Once the key arrives, it is stored in an offline, airgapped database that can only be accessed in a single room with rigorous safety. In addition, the database and the machine it is located on have tamper protection, similar to tamper protection on bank transports: any access that's out of the ordinary, like too many requests within a certain period or too many faulty requests, and the machine gets wiped.

Unless you are properly storing this in a specially designed HSM this does not seem sufficient. This protection mechanism might not be enough in case a person removes hard drives or uses a direct memory attack (in case you are running a regular server).

When a legitimate law enforcement organization has need of a key to decrypt, it sends a formal request to the NGO. The NGO first analyzes the request based on the importance of the request. The NGO allows decryption when the suspect is strongly incriminated by other evidence, and only in the case of terrorism, murder or abuse of a minor (which are probably the only widely accepted reasons for public opinion).

Someone who will willingly use a known backdoored algorithm and then commit a crime, using the algorithm to protect their secret, is not really smart.

If the NGO allows decryption, a trusted employee of the NGO goes to the room the database is accessible from and downloads the key on a read-only medium with similar tamper protection as the database. This medium is then handed over to the law enforcement organization that originally requested it. At this point, normal law enforcement will take over.

This is the biggest issue with key escrows. The trust part is very important and the pitfall of most escrows. The trusted party should definitely be more than one person. A single person should under no circumstances be able to access the key, a multi-eye mechanism of at least 3 to 5 people should be in place.
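The last point above, that no single person should ever be able to retrieve an escrowed key, is normally implemented with a threshold secret-sharing scheme rather than by procedure alone. The block below is an added example, not code from the page or from any of its posters: a minimal Shamir secret sharing in Go over the prime field GF(2^521 - 1) (the Mersenne prime is chosen so that a 256-bit key fits in a single field element). It splits a constructed 32-byte key into 5 shares of which any 3 reconstruct it; the names Split, Recover and Share are my own.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// Field prime for all arithmetic: the Mersenne prime 2^521 - 1. It is larger
// than any 256-bit key, so a key maps to one field element without splitting.
var prime = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 521), big.NewInt(1))

// Share is one custodian's piece: the evaluation point x and the value f(x).
type Share struct {
	X int64
	Y *big.Int
}

// Split turns secret into n shares such that any k of them reconstruct it.
// It samples f(x) = secret + a1*x + ... + a_{k-1}*x^{k-1} (mod prime) with
// random coefficients a_i and hands out f(1), ..., f(n).
func Split(secret []byte, k, n int) ([]Share, error) {
	if k < 2 || n < k {
		return nil, fmt.Errorf("need 2 <= k <= n, got k=%d n=%d", k, n)
	}
	s := new(big.Int).SetBytes(secret)
	if s.Cmp(prime) >= 0 {
		return nil, errors.New("secret too large for the field")
	}
	coeffs := make([]*big.Int, k)
	coeffs[0] = s
	for i := 1; i < k; i++ {
		c, err := rand.Int(rand.Reader, prime)
		if err != nil {
			return nil, err
		}
		coeffs[i] = c
	}
	shares := make([]Share, n)
	for i := 0; i < n; i++ {
		x := big.NewInt(int64(i + 1))
		y := big.NewInt(0)
		for j := k - 1; j >= 0; j-- { // Horner evaluation of f at x
			y.Mul(y, x).Add(y, coeffs[j]).Mod(y, prime)
		}
		shares[i] = Share{X: int64(i + 1), Y: y}
	}
	return shares, nil
}

// Recover interpolates f(0) from the given shares by Lagrange interpolation.
// With fewer than k distinct shares the interpolated value is a random field
// element, not the secret; the length check below turns that into an error
// instead of a silently wrong key (a 521-bit value cannot be a 256-bit key).
func Recover(shares []Share, secretLen int) ([]byte, error) {
	result := big.NewInt(0)
	for i, si := range shares {
		num, den := big.NewInt(1), big.NewInt(1)
		for j, sj := range shares {
			if i == j {
				continue
			}
			num.Mul(num, big.NewInt(-sj.X)).Mod(num, prime)     // prod (0 - x_j)
			den.Mul(den, big.NewInt(si.X-sj.X)).Mod(den, prime) // prod (x_i - x_j)
		}
		inv := new(big.Int).ModInverse(den, prime)
		if inv == nil {
			return nil, errors.New("duplicate share x values")
		}
		term := new(big.Int).Mul(si.Y, num)
		term.Mul(term, inv).Mod(term, prime)
		result.Add(result, term).Mod(result, prime)
	}
	if result.BitLen() > 8*secretLen {
		return nil, errors.New("reconstructed value does not fit the key length: insufficient or wrong shares")
	}
	out := make([]byte, secretLen) // left-padded so leading zero bytes survive
	result.FillBytes(out)
	return out, nil
}

func main() {
	key := make([]byte, 32) // constructed sample: a random 256-bit escrowed key
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	shares, err := Split(key, 3, 5)
	if err != nil {
		panic(err)
	}
	got, err := Recover([]Share{shares[0], shares[2], shares[4]}, len(key))
	fmt.Printf("3 of 5 shares recover the key: %v (err=%v)\n", bytes.Equal(got, key), err)
	_, err = Recover(shares[:2], len(key))
	fmt.Printf("2 shares: err=%v\n", err)
}
```

In a deployment matching the answer, both Split and Recover would run inside the HSM, so the assembled key never exists on a general-purpose machine; the custodians only ever hold their own share, and the 3-of-5 quorum is enforced by the mathematics rather than by a room-access policy.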

I think that the word combo "Safe Backdoor" needs medical attention ;) There are NO "GOOD NGOs" and NO UNCORRUPTED GOVERNMENTS - Ed Snowden proved it in depth and in full. The answer to this question is an old official Apple statement, which said: "it's technically impossible to create a key that will work only in the hands of good guys and in rightful situations"

@Joshua I think that being on such heavy drug stuff as the question author is makes him believe that he can employ angels for this task: maybe that's the NGO he's talking about?
– Alexey Vesnin, May 26 '16 at 1:48

When a legitimate law enforcement organization has need of a key to decrypt, it sends a formal request to the NGO. The NGO first analyzes the request based on the importance of the request. The NGO allows decryption when the suspect is strongly incriminated by other evidence, and only in the case of terrorism, murder or abuse of a minor (which are probably the only widely accepted reasons for public opinion).

The US has a system called "National Security Letters". These allow the government to compel the release of information under gag order. On day 1, the NGO is ordered to install a backdoor that leaks all keys. All employees would be covered by NSLs and it is illegal for them to whistleblow on this. They could only do so by fleeing permanently to a country that does not have extradition agreements in place with the US, like Edward Snowden has had to do.

OR:

The keys are transmitted over the internet. At this point they're obviously not airgapped. A tap is covertly installed at this point in the NGO.

OR:

The single computer having all the keys transmitted to it becomes the world's highest profile hacker target. It is hacked monthly by competing teams of foreign intelligence agencies and third world hackers.

OR:

There's no reason why people would adopt this unless other encryption was banned, so get ready for the First Amendment case on that again. Also, there's no reason for non-US persons or companies to use it. So people who want to use encryption PGP-encrypt everything before sending it over the compromised encryption channel.

Assuming all of the above is feasible, what problems can arise from this system?

No one has yet mentioned one of the biggest problems with key escrow systems and backdoored crypto, so I will. User adoption. No one is actually going to use a system that allows an unauthorized 3rd party to decrypt their traffic.

The Clipper chip was a chipset that was developed and promoted by the United States National Security Agency (NSA) as an encryption device, with a built-in backdoor, intended to be adopted by telecommunications companies for voice transmission. It was announced in 1993 and by 1996 was entirely defunct.

On April 21, 2014, NIST withdrew Dual_EC_DRBG from its draft guidance on random number generators recommending "current users of Dual_EC_DRBG transition to one of the three remaining approved algorithms as quickly as possible."

Every time, people either ignore it, or flee at breakneck speed once a backdoor is discovered. Why would anyone want to use your backdoored or escrowed crypto system when there are crypto systems that aren't deliberately broken by design? Even if you could make your key escrow scheme 100% safe, which you can't, it wouldn't matter. People would continue to use free, better alternatives that don't come with a backdoor.

Some disclaimer-like thingy.

Others have made very good points which were partly repetitions of the ones others made before and I don't want to repeat them. So I'm just going to add a little extra which happens to be too long for a comment.

Also, I realize that this answer doesn't include a whole lot of technical details. That's simply because the question is too broad to include all of them. If you have a technical question regarding a specific subtopic, please leave a comment and I'll try to address it.

The actual content.

Redundancy and Control of Information Flow

So there is this centralized facility storing HDDs or magnetic tape or whatever which is built to be really strong against unwanted duplication of keys. It burns down. Or someone in there decides that the whole thing is morally reprehensible. Or something else happens. Tough luck. You better build at least 3 of them. Great, so now you have 3 facilities in different cities to keep track of. You got to make sure that no one copies anything without permission in any of these locations yet you have to make sure that everything is administrated properly. If something gets leaked, you have no way of finding out who did it. At least there doesn't seem to be any remote concept of a plan against this in your description.

Future Laws

So you have a bunch of laws which you deem sensible and somehow figured out the redundancy and control of information flow thing. Great. And I assume you have some authority like being a dictator or representing some idea of a party. At least in this scenario. Awesome.

Except it's not because you won't always have power and there will be people after you changing laws in ways you don't like or find preferable or even despise. They are going to have access to everyone's data. So you made that law that the recorded key information can only be accessed if a ton of criteria are fulfilled and the whole thing is super important. You also made sure that there is a law preventing the government from punishing people for things they did when they weren't yet illegal.

Unfortunately, these laws can get changed when someone takes over. Then people can be punished for stuff they did when it was still legal. Like watching and storing porn, criticizing the government, or publishing ideas the government doesn't like. So you might say that it's unlikely that a government will look back and punish people for stuff like that. Well, just look at what China did the previous century. That stuff already happened. Look it up, it's a true fact, Wikipedia that. Today it's even worse because we have these machines which can store a ton of information in really small space for little money. And people use it. There wasn't much information to crack down on government critics in China, yet they did it. There is an incredible amount of information now and it will grow.

What even is Encrypted?

Random data (like when you just pipe out /dev/urandom) has maximum entropy. This means many things and one of them is that you can't find any pattern whatsoever. You know what also has maximum entropy? Cyphertext. Yeah, good luck with that one. It's provably impossible to tell random data and encrypted data apart.

Attribution

So you suspect me of having committed a crime. A really, really bad one. And you think that I was stupid enough to use your backdory thing when in fact that's highly unlikely. But let's just assume that I somehow managed to lose enough brain cells to do so. You know that about 1'000* keys have been sent from that cafe close to my home in the last year. And you suspect my HDD, which only seems to have random data on it, or an email which doesn't seem to contain any English words. You know from the previous paragraph that it can be encrypted information. How many keys are you going to try before you give up? How do you even know that I was in that cafe using their wifi when I created the encrypted document or container or sent that encrypted email or whatever?

Number of Keys

Yeah, those 1'000 keys I wrote about in the previous paragraph, talking about an entire year, a public wifi hotspot, etc.: they are created in a few minutes when using single transport keys and/or session keys.

Spam

I start sending 1'000 keys per minute to the government servers. When are they going to stop recording my keys? That's not something like a website request. You can't just stop responding to someone because they are causing a lot of traffic. That's something that has to be recorded.

Not a good idea because it could get me locked up? Well, read the next paragraph.

False Attribution of Spam

So I hack into your ("You" now refers to you as an individual, not as a government.) computer, your phone, your router, your NAS, whatever, I don't care. I get to send stuff in your name, basically. Suddenly there are 1'000 keys per minute sent to the government servers by your IP. And again, they can't just ignore you as they could if I hacked into one of your systems and loaded whitehouse.gov 1'000 times per minute. They will record it, get angry, and come to you long after I made sure there aren't any traces left of someone hacking into one of your systems.

Also note that this is likely to happen because it's a morally reprehensible policy and people are going to fight against it.

You make a very good point here, though I feel it got a little buried: if the ciphertext is kept indefinitely (which, as we know, it is), then any future exposure of the decryption key (whether through compromise, changing legislative landscape or otherwise) will decrypt everything in the past going back to the introduction of this system. That is ripe for abuse.
– eggyal, May 26 '16 at 8:59

Assuming all of the above is feasible, what problems can arise from this system?

The problems that arise from the system that others have described all lead back to a single thing. The definition of "safe backdoor" has never been given. Both in your question and in the current discussions that are on-going in the United States and other nations, the "authorities" (i.e., government and law enforcement) have never really said what a "safe backdoor" means. If you don't know what objective you are trying to achieve, how can a proposed technical solution ever be judged to determine if it is sufficient?

all providers of communications services and products (including software) should protect the privacy of United States persons

It then states that

all persons receiving an authorized judicial order for information or data must provide, in a timely manner, responsive, intelligible information or data, or appropriate technical assistance to obtain such information or data

The draft legislation goes on to define words used within such as "communication", "data", "intelligible", and "technical assistance", but it never defines "privacy" or "timely" and "responsive".

That's because that's law, which is meant to be interpreted, not code, which is meant to be executed.
– a CVn, May 23 '16 at 14:14

@MichaelKjörling, my point exactly. The law is ambiguous and does not spell out the legal requirements, so any implementation of the law must fill in the holes with assumptions. The assumptions made by system designers turn into the problems that arise from the systems.
– mikeazo, May 23 '16 at 14:40

A point not previously mentioned: Double encryption. I.e., you first encrypt your message with your favorite secure non-backdoor method, then send the message encrypted again using the government-sanctioned escrow system. This will look no different than using the escrow system to encrypt plaintext, so as far as the government is concerned, you are an honest citizen making honest communications. And if something happens to make the government suspicious, they can just get out the escrow key, decrypt your messages, and -- OOPS! They STILL can't tell what you have been doing! OK, yes, now they have you for 'using an unauthorized encryption scheme' - but note that they couldn't have used that fact to justify getting the escrow key in the first place.

OK, yes, now they have you for 'using an unauthorized encryption scheme' - but note that they couldn't have used that fact to justify getting the escrow key in the first place. Which would also require banning crypto, of course... which, actually, they'd have to do anyway in order to get anyone to adopt their broken-by-design crypto system.
– HopelessN00b, May 25 '16 at 22:26

I'm not extremely familiar with this topic, but it seems like the "tamper-proof" database could actually hinder this scheme.

Once the key arrives, it is stored in an offline, airgapped database that can only be accessed in a single room with rigorous safety. In addition, the database and the machine it is located on have tamper protection, similar to tamper protection on bank transports: any access that's out of the ordinary, like too many requests within a certain period or too many faulty requests, and the machine gets wiped.

Because (at least I think) there is no way to truly air-gap a database without being able to write the keys to it, hackers could still find a way to spam faulty requests to it.

Then, every time they don't want their communications to be spied on, they spam the database their key was stored in and use the "tamper-proof" feature against it to wipe their key.

Unidirectional networks exist for this purpose: e.g. a fibre-optic link with the transmitter physically removed at one end (and usually the receiver physically removed at the other).
– eggyal, May 26 '16 at 9:07

@eggyal That still has nothing to do with spamming the faulty requests. It doesn't matter if the database doesn't send anything out; all the hackers (should) have to do is flood it.
– a25bedc5-3d09-41b8-82fb-ea6c353d75ae, May 26 '16 at 10:20

Ah yes—sorry, that serves me right for only skimming! However, I guess the OP might revise the self-destruct plan if a unidirectional network exists.
– eggyal, May 26 '16 at 10:22

@eggyal Yes, I agree. The "self-destruct" feature could be removed without many potential risks (especially if they use the unidirectional network).
– a25bedc5-3d09-41b8-82fb-ea6c353d75ae, May 26 '16 at 10:26

Bravo, excellent question. And you are really close to a secure backdoor system. (For all the naysayers, if you asked these same people whether they think an arrangement like this would be appropriate and secure for a company to monitor employees' secure information, I suspect the answers would be different.)

For starters, you don't need a new algorithm; you can just use regular public key cryptography. You could either encrypt and send your private key or use a public key provided by the government or whoever. If you use a government key, two cipher texts need to be made, one with the recipient's key and one with the backdoor key. And at that point you have a backdoor which is as secure as the underlying cryptographic method (there are still key storage issues but you seem to understand that well enough).

If a government key is used, they will be able to decrypt the second cipher text created with their key. And if they have the recipient's public key, they will also be able to verify that the contents match what they have by re-encrypting and comparing to the other cipher text.

The main issue with the system you described (everyone sending in their keys) is just keeping track of them. If a single government issued encryption key is used, there's the issue of having a single point of failure to all the encryption relying on the system. But key rotation and multiple keys can mitigate that.

But the major issue with implementation is just user resistance and suitable alternatives. There is an increased attack surface which introduces the possibility of failure outside the control of the user and in exchange for that, they don't seem to get much of value. Then there is the specific issue of a system like this being used by law enforcement. Anyone whose files they would be getting a court order for would view the cops as an adversary. Basic security principles dictate that you should not provide an adversary access to your secure communication. (There is the question of whether shielding criminals is justifiable and if we're talking about not using compromised cryptography and law enforcement as it currently exists then the answer is: yes.)

That being said, there are situations where providing a secure backdoor might be beneficial and at least acceptable to affected parties. And even if we never use it, considering these things is still a useful and interesting exercise.
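Steve Jessop's comment earlier on the page and this answer describe the same construction: encrypt the message once under a fresh session key and wrap that key to each recipient's public key, with the escrow holder being nothing more than one additional recipient. The following is an added example, not code from the page or from any of its posters, that implements that construction in Go with RSA-OAEP for the key wrapping and AES-GCM for the message, standing in for the PGP-style hybrid scheme the comment mentions; the names Envelope, Seal and Open are my own. It also shows the point made in the first answer: an envelope built without the escrow wrap is opened by the intended recipient just the same, so nothing in the format itself can force the escrow copy to exist.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is the wire format: one AES-GCM ciphertext of the message plus one
// RSA-OAEP wrapped copy of the session key per recipient public key.
type Envelope struct {
	Nonce       []byte
	Ciphertext  []byte
	WrappedKeys [][]byte
}

// Seal encrypts msg under a fresh 256-bit session key and wraps that key to
// every public key in recipients. Adding the escrow holder's public key to the
// list is the whole of the escrow mechanism; leaving it out changes nothing
// for the other recipients.
func Seal(msg []byte, recipients []*rsa.PublicKey) (*Envelope, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, msg, nil)}
	for _, pub := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
		if err != nil {
			return nil, err
		}
		env.WrappedKeys = append(env.WrappedKeys, wrapped)
	}
	return env, nil
}

// Open tries each wrapped key against priv; any holder of one of the recipient
// private keys recovers the session key and with it the message.
func Open(env *Envelope, priv *rsa.PrivateKey) ([]byte, error) {
	for _, wrapped := range env.WrappedKeys {
		sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
		if err != nil {
			continue // OAEP check failed: this copy was not wrapped for priv
		}
		gcm, err := newGCM(sessionKey)
		if err != nil {
			return nil, err
		}
		return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	}
	return nil, errors.New("no wrapped key matches this private key")
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)  // the real recipient
	escrow, _ := rsa.GenerateKey(rand.Reader, 2048) // the escrow holder (the NGO)
	msg := []byte("constructed sample message")     // constructed sample input
	// Compliant sender: wrapped to both the recipient and the escrow key.
	env, err := Seal(msg, []*rsa.PublicKey{&alice.PublicKey, &escrow.PublicKey})
	if err != nil {
		panic(err)
	}
	a, _ := Open(env, alice)
	e, _ := Open(env, escrow)
	fmt.Printf("recipient reads: %q, escrow reads: %q\n", a, e)
	// Non-compliant sender: the same format with the escrow wrap left out.
	env2, _ := Seal(msg, []*rsa.PublicKey{&alice.PublicKey})
	a2, _ := Open(env2, alice)
	_, errEscrow := Open(env2, escrow)
	fmt.Printf("recipient still reads: %q; escrow gets: %v\n", a2, errEscrow)
}
```

Because the session key is random per message and only ever leaves the sender wrapped under a public key, the escrow copy is as strong as RSA-OAEP itself; the whole weakness of the arrangement is in who holds the escrow private key and how it is used, which is exactly what the rest of this thread is about.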

It seems like most of this answer is talking about talking about the answer and the issue. And you appear to repeat what others have said about key escrow. It's not clear that there is anything new here.
– schroeder♦, Feb 18 '18 at 9:45

I believe that answers should usually talk about the issue and the answer. And I don't see any other answers which acknowledge that what is presented in the question can in fact be done securely. I do address key escrow, since it appears in the original question, but I also present an alternative secure backdoor. Perhaps you could point out which other answers you feel mine is duplicating.
– Gabriel Withington, Feb 21 '18 at 23:05

Sending private keys is actually standard practice. Public key cryptography is typically only used to encrypt a session key and the session key is used to encrypt the data. See the trick is that you encrypt the keys rather than sending them in plain text. Which is exactly what I've done. Are you saying that the common implementation of public key cryptography is insecure? Or did you miss the part where the keys were being encrypted? "Everything else is covered by other answers." does not address which other answers you feel mine is duplicating.
– Gabriel Withington, Feb 21 '18 at 23:54